PHP Login Sessions Against DB

[kibblerok]

Good Evening,

Just a question regarding sessions and how users are authenticated. There are many threads covering the coding etc, this is more of a logic/theory question.

I have my database that stores user ID and salted password. Once logged in and verified various details are stored into the session including user ID and a hashed 'pass token', these are stored in cookies too for 'remember me'.

On each page check for a valid session, if not found check if cookies are set (and in this case validate), else not logged in.

However if a valid session is found would you validate this against the database for every page load? Are there any drawbacks to this method and and security holes in not verifying against the DB? i have seen opinions that seem to sway on either side of this arguement.

[kromey]

If you find a valid session, general practice says that you assume the user has already validated and you don't validate against the database again. Only when picking up "remember me" cookie(s) or logging in a user who was not logged in already do you check against the database.

There is no point in verifying the session against the DB - how would you do it? If you store the username and password in the session, well you a) are not gaining anything in terms of securing the session because those values remain on the server, and thus it's akin to asking the database "is 1 equal to 1?" on every page load, and b) doing so puts your users at risk if you are in a shared hosting environment because everyone who has an account on that server (i.e. other people hosted on that physical box) can read all your session data.

Google "session hijacking" to learn about the security risks when you don't verify. You'll also find (if you dig deep enough) that there is no practical method for completely preventing session hijacking without putting undue strain on your server and/or causing undue nuisance to your users. Search this forum as well for countless discussions on the topic.

[medicjoe95]

I personally confirm/validate against he database on every page load. Usually I would just simply confirm the pass token, or some sort of session token.

Confirmnig all data, would be a waste of resourses.

[kromey]

What exactly are you validating against the database? If you're validating session variables, then you're wasting resources. If you're validating the session ID, then you're wasting resources (unless you are using database-driven sessions instead of PHP's default filesystem-based sessions). If you're validating other cookie values, you're again wasting resources (although this point is arguable).